Are IT Security Professionals Less Happy?
zentanu writes "It's said that if you want to be happy, be a gardener. What about IT security professionals?
Having worked as an IT security consultant for several years, I now wonder if my job has a negative influence on my happiness, because it constantly teaches me to focus on the negative side of life: I always have to think about risks and identify all sorts of things that could go wrong.
As an auditor I search for errors that others have made and haughtily tell them. As a penetration tester I break systems that system engineers and administrators have laboriously built. I assume inside threats and have to be professionally suspicious. The security mindset surely helps me in my job, but is it good for me in the long run? What kind of influence has being an IT security professional had on your general attitude towards life? What helps you stay out of pessimism and cynicism? Is protecting existing things really as good as building new ones?"
Re:If it floats your boat (Score:2, Informative)
IBM still ships their IBM i systems insecure as hell, leaving most customer setups in the same shape.
Example:
Telnet is enabled by default, but telnet/ssl is not. Everyone uses SSL. I've seen many people directly exposing Port 23 to the Net, 'cause the i is secure.
Oh, and don't talk about SNA and DDM Files.
haughtily (Score:1, Informative)
that's penetration, you fool.
Empathy = happiness (Score:5, Informative)
The best security consultant I met was not a super geek able to hack my Checkpoint installation. He was a very kind, easygoing guy, who started by explaining that absolute security was impossible. He asked the management what was the most important stuff to protect, and against whom. In a single meeting, less than one hour, he understood our business and our needs, and instead of freaking the management with catastrophe scenarios, he built a security architecture in layers around our most valuable assets.
He did not try to draw suspicion on employees at large. He asked simple questions like: what if an employee in such a position is not as competent or as honest as you thought, or what if an employee in this other position starts having problems at home and this leads him to lower his standards at work? Or what if this key employee was injured and could not even communicate with his replacement for weeks?
Other good questions he asked: did you see the graffiti in the parking lot? (yes). Do you think the company or someone here was directly targeted? (No). Then why did someone make this graffiti? (Because he had a can of spray and too much time). Anybody here has a teenager at home with unsupervised access to high-speed internet? (Silence). Anybody here has a teenager at home with unsupervised access to the computer where you have your VPN client installed? (More silence).
In the end that guy provided us with an excellent audit, and a very cost-effective implementation plan for a security upgrade. I don't think he left the building feeling bad for his pessimism; instead I am pretty sure he left with a smile, knowing he helped his customers to get what they needed. Maybe the NSA or some expert hacker can find a backdoor in some obscure network appliance, but our biggest concerns, getting our product specifications stolen by the competition or our CRM database plundered by a disgruntled employee, are not gonna happen.
Re:I totally identify with this... (Score:4, Informative)
Re: "traditional security" vs. I.T. security (Score:5, Informative)
Get rid of the idiots, instead of turning people into idiots by not allowing them to learn, or bothering to teach them.
Easiest way to do that is to track who's wasting IT's time, as opposed to who's using the department wisely. When Johnny Sales calls for the tenth time in a week 'cause he just HAD to click the monkey for a better insurance deal, you or your boss should point out that Johnny blew 5 man-hours of labor that week...on a digital monkey.
Anyone that helpless needs to be replaced with someone who CAN follow policy.
Re:I totally identify with this... (Score:3, Informative)
And what both you and the GP miss is that the seal on food (e.g. the foil seal on peanut butter or the classic click-pop of a jar of grape jelly) is not a security measure, it's a safety measure. When the seal is intact, that means that the contents will be edible (up to the printed use-by date, if applicable). If the seal is broken, then the product should be considered inedible since the spoiling process will have begun at some point during shipping, rather than in your home as the manufacturer intended. In other words, the purpose is not to keep people out but to preserve the contents.
Re:Short Answer (Score:3, Informative)
That is exactly why most people don't like IT security. The true answer is that their password _can_ be the name of their dog, for 95% of users, because they won't have access to sensitive information by default.
And which are the 5%? And how do you work out which roles those are? Bonus points for describing how to integrate a data access privilege level for every user when they are first hired, when they change role, or every time the information they access changes. Oh look, it's ten thousand times easier and more secure to train everyone to do the right thing in the first place.